06/06/2016

California Lawmakers and Cybersecurity Legislation

by ZixCorp

Last week California legislators took more steps that they believe will protect the state’s IT systems from hackers. The Assembly unanimously voted to force the current administration to implement, by July of next year, a response plan for cybersecurity threats to state critical infrastructure. The bill’s author, Assemblyperson Jacqui Irwin, is quoted as saying “Ensuring that these preparations are made for cybersecurity will make our state networks more resilient, improve response coordination, reduce recovery time and costs and ultimately limit the damage that is done.” Other bills, both in the Assembly and in California’s upper house, the Senate, placed or will place further actions and responsibilities on state agencies, not only to protect data and infrastructure, but also to force improved communications between these agencies.

These actions are to be applauded and are no surprise to us here at Zix. In March of this year, during a live interview with Michael Salvatore, our Certified Information Privacy Technologist, we discussed security issues that had previously plagued California, and the actions that had been taken to protect infrastructure. This included groundbreaking legislation that has since been copied by other U.S. states and in other countries around the world.

What had spurred these actions? On April 2, 2002, the Stephen P. Teale Data Center, a state-operated data storage facility in north Sacramento, was breached. That data center housed the personal details of 265,000 California state employees – their social security numbers, first and middle initials, last names, and payroll deduction amounts. Although the breach occurred on April 5, 2002, it was not discovered until May 7, 2002, and employees were not notified until May 21, 2002. During the investigation, it was discovered that the server that had been breached actually sat outside the data center’s firewall.

Soon after this, California State Senator Steve Peace announced that he would be delving into these issues, and he is credited with spearheading the passage of Senate Bill 1386 through the California Senate. SB 1386 created a requirement for notification to be made to any and every resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Hence even out-of-state corporations that have personal information relating to California residents fall under this statute.

More information on California’s cybersecurity laws and how they have influenced privacy legislation across the U.S. can be heard in the recording of our Zix Webinar.